It seems to me that the botnet can appear to be "largely" dormant even when it's active... because actual attack traffic would just be sent directly, instead of through Tor. Only the command and control traffic needs to be hidden in order to protect the botnet from a law enforcement take down.

Depends what it's used for. If it sends spam or DoS, I agree it's sent directly, but if it sends info about passwords and data of the zombies, it could be a lot of traffic for Tor.

Well, if Mevade.A is using zombies on Tor could it please at least have them serve as relays?

Unfortunately, Tor might not be able to handle such an influx of relays. There was a thread on their mailing list recently about defaulting high bandwidth clients to relays, but among other problems there are some scalability issues.

The first is that these botnets "grow the haystack" as someone mentioned earlier, making it much harder to trace an individual connection.

The second is that a large enough botnet is capable of achieving a 51% attack, which means that if a C&C server was captured by a government agency that has no qualms about abusing its power, the anonymity of Tor is rendered null.

So are these botnet instances something which can be detected by Malwarebytes or other anti-malware / anti-virus software? I don't get how they get so large... are there really that many unpatched and unprotected systems out there?

How many computers are even present in Vatican City? It probably wouldn't take long to check them all.

EDIT: Also, jeez, why are people so intent on voting this comment down? At least have the decency of writing out why you disagree. The geographic information is an important piece of evidence on figuring out what is going on here.

That's a good point, considering how Tor nodes have more than doubled recently, with most of the increase apparently because of this single botnet. Could that one botnet use its numbers to render Tor useless for the anonymity of everyone else?

Malware is targeted by language, OS version, economics, etc., all of which are highly related to geography.

Example: malware targets Windows XP. The greatest number of XP users are in China. That does not mean China created the malware or that China is being specifically targeted.

Malware infections are frequently very geolocalized because they were installed through baits written in specific languages targeting specific events, like recent local news, likely to generate clickthroughs, or they were drive-bys installed on poorly maintained small-time websites that often have a very specific group of visitors. And as for the Vatican, it is interesting, and POSSIBLE it is some computer in their spooky library or whatever, but it's also just as likely that the geoIP info is approximate and it's just in Rome.

That is not to say it can't be the actions of a government passing over some countries (Passover pun? You decide) but it is not at all inconsistent with normal malware botnets.

The thing is, it isn't geolocalised. Its geolocation is literally *everywhere in the world, except Israel, China (while Hong Kong and Taiwan *are* affected, despite being so much smaller; did our botnetter care that much more about those places while he couldn't be bothered with the most populous country in the world?), and Iran*. This seems an extremely weird targeting strategy to me.

If the concern with Vatican City is possible confusion with Rome (which I feel is unlikely), there's also the example of the Falklands:

Given that they are *clients* and not *nodes*, this seems unlikely.

Anything that increases the amount of useless data the NSA will be keeping in that new data center in Utah is a plus.

Ok, so make half relays and half entrance/exit nodes...

Ugh, god. Not only does your aunt's ancient PC have this malware on it, but to law enforcement it looks like it's occasionally downloading kiddie porn and visiting jihadist websites.

The widespread nature would prove my point. This is clearly not a focused attack on any one group, but an effort to gain access to as many machines as possible.

Insecure computers are located everywhere in the world. China and Iran both have extreme control over internet access points in their country, with sophisticated firewalls in place; they make it difficult to use Tor in the first place. If your botnet was primarily located in China, this would make Tor a poor delivery choice.

Rest assured, there is nothing China, Israel, and Iran all agree upon. Correlation does not equal causation and there are many more reasonable explanations if you stop picking random data to reach a foregone conclusion.

So what about Israel? To our knowledge Israel has no such block, so then what's your explanation? In which case, why is a widespread effort to gain access to as many machines as possible omitting Israel in particular?

I'm saying that you need to look at the data here - there is data that exists, and it is strange. I don't think you can just blithely ignore it. Sure, insecure computers are located everywhere, but the level of security varies a lot across countries, and the sorts of websites people visit to get infected also vary. You'd expect, for example, the size of the increase to be correlated to the level of security. Russia, well known for terrible cybersecurity, should not have the same level of increase as the UK, but it does. Vatican City is essentially run by a single administration, and one would think that therefore they would have at least a consistent level of IT security, and greatly divergent internet usage habits to most nations. But they too are infected. Truly, where *are* people getting this stuff onto their computers, that happens to be frequented by poor folks in Lesotho *and* rich folks in Hong Kong?

This is what the global distribution of malware infections looks like. This 'botnet' doesn't look anything like this.

If this isn't at all strange to you, then you are a deeply incurious person.

Correct me if I'm wrong... but this new data represents new Tor client activations and not botnet instances.

So the Vatican instances could just be uninfected PCs which are now using Tor. It may also be that the botnet controllers are only using Tor in particular regions, or that they rolled out certain regions previously as a test.